Changes between Version 3 and Version 4 of SafeHaskell
- Timestamp:
- 11/08/10 00:37:29 (3 years ago)
SafeHaskell
v3 v4 39 39 * Likewise, {{{RULES}}} and {{{SPECIALIZE}}} pragmas can change the behavior of trusted code in unanticipated ways. 40 40 41 * {{{OPTIONS_GHC}}} is probably dangerous in unfiltered form, as it could potentially expose packages with trusted but not trustworthy modules. 42 41 43 * The {{{StandaloneDeriving}}} extension can be used to violate constructor access control by defining instances of {{{Read}}} and {{{Show}}} to examine and construct data values with inaccessible constructors. 42 44 … … 53 55 Either {{{-XSafe}}} should disallow {{{ {-# LANGUAGE MagicHash #-} }}} pragmas, or the {{{GHC.Prim}}} module might need to be split into two modules, {{{GHC.Prim.Unsafe}}} and {{{GHC.Prim}}}, where only the latter is safe. 54 56 55 {{{-XSafe}}} should disallow the {{{FFI}}}, {{{TemplateHaskell}}}, {{{OverlappingInstances}}}, {{{StandaloneDeriving}}}, and {{{GeneralizedNewtypeDeriving}}} language extensions, as well as {{{RULES}}} and {{{SPECIALIZE}}} pragmas. 57 {{{-XSafe}}} should disallow the {{{FFI}}}, {{{TemplateHaskell}}}, {{{OverlappingInstances}}}, {{{StandaloneDeriving}}}, {{{GeneralizedNewtypeDeriving}}}, and {{{CPP}}} language extensions, as well as {{{RULES}}} and {{{SPECIALIZE}}} pragmas. 58 59 {{{OPTIONS_GHC}}} pragmas will have to be filtered. Some options, (e.g., -fno-warn-unused-do-bind) are totally fine, but many others are likely problematic (e.g., {{{-cpp}}}, which provides access to the local file system at compilation time, or {{{-F}}} which allows an arbitrary file to be executed, possibly even one named {{{/afs/}}}... and hence entirely under an attacker's control). 56 60 57 61 Libraries will progressively need to be updated to export safe interfaces, which may require moving unsafe functions into separate modules, or adding new {{{ {-# LANGUAGE Safe #-} }}} modules that re-export a safe subset of symbols. 
Ideally, most modules in widely-used libraries would eventually contain either {{{ {-# LANGUAGE Safe -#} }}} or {{{ {-# LANGUAGE Trusted -#} }}} pragmas, except for internal modules or a few modules exporting unsafe symbols. Maybe haddock could add some indicator to make it obvious which modules are safe.
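Review bot: the new OPTIONS_GHC paragraph (v4 line 59) says the pragma "will have to be filtered" but gives only examples on each side of the line; since the problematic set is described as open-ended ("many others are likely problematic"), the filter should be an allow-list of options known to be harmless (such as the -fno-warn-unused-do-bind example given) rather than a deny-list of known-bad ones, otherwise every new or overlooked flag is accepted by default. Related: v4 line 57 now adds CPP to the extensions -XSafe disallows, and line 59 lists -cpp as an OPTIONS_GHC flag to reject; these are the same mechanism spelled two ways, so the text should say explicitly that both the LANGUAGE pragma and the command-line option have to be caught, and the same applies to the -F preprocessor case. Finally, the unchanged context line at the end writes the pragmas as `{-# LANGUAGE Safe -#}` and `{-# LANGUAGE Trusted -#}`; the closing delimiter of a pragma is `#-}`, so these should read `{-# LANGUAGE Safe #-}` and `{-# LANGUAGE Trusted #-}` to avoid readers copying a malformed pragma from the design page.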
